The paradigm of IT spending today is indicative of a lackluster economy in search of a business hero or savior. The shift from an exuberant market to its antithesis has left projects stranded in the desert of information technology, but is the security of your mail server real or a mirage? Is your approach to security proactive, or an inverted reflection of a distant future? Will your IT convoy prevail, or will hackers commandeer what's left of your security and take hostage your mail server?
We continue our Weakest Link series from my article "Database server security vs. the triple threat" and direct our attention to protecting the messenger (that is, your mail server). In this three-part series on mail server security, we will focus on getting the most security out of your Exchange 2000 Server, and look into extended Simple Mail Transfer Protocol (eSMTP). I encourage you to read through this series even if you administer or if you're working with a different brand of mail server. I'm confident that you will find some of this information relevant in your e-mail environment. Join me on a journey to explore and identify the security vulnerabilities in your network.
Before we get started, it's important that you remember that security is a moving target -- a perennial task -- that demands ongoing attention and modifications to combat existing and new forms of attacks. Layered security requires that you continually -- and not sporadically -- address the potential threats against any of the seven layers of the Open Systems Interconnect (OSI) model.
Be the first to know how your company mail server will respond by testing its security for holes or leaks on an ongoing basis. Make sure that you have covered the basic security steps, such as:
- Using unique folder locations for your Exchange Server files
- Using the appropriate folder and file permissions
- Using restricted user/mailbox permissions and quotas
- Using a secured - instead of an out-of-the-box - mail server configuration. In this mini-series, we will focus on security at the Exchange System Manager level.
When was the last time you consistently attempted to hack and test your mail server security?
Test your mail server security first
As the mail administrator, it's important that you have:
- An in-depth understanding of existing and potential security issues
- An ongoing dynamic security plan in place that addresses new threats
- An overall awareness of the security test results from consistent penetration testing against your mail server(s).
Make sure that you follow company protocol and adhere to policies and procedures before taking the initiative to address the need for penetration testing against your company's ongoing security. Consult with your IT manager first to develop a team-based security and test plan.
Is your Exchange 2000 Server running in Mixed Mode or Native Mode? Do you have a thorough understanding of your server configuration? Does this configuration precisely reflect your organizational structure?
Exchange organization properties
Unless your running a combination of Exchange 5.x and Exchange 2000 servers in your network, your server operation mode should be set to Native Mode, and not Mixed Mode. In some cases, a software development company may need to maintain an Exchange 5.x server in their QA department to test their MAPI application for backward compatibility. Although your corporate mail server is secured, what about the mail server(s) in your QA subnet or other parts of the company? You will need to take development, staging, and other QA servers that are accessible from the Internet into account when securing your corporate Exchange 2000 Server.
Restrict administration delegation
Not only should you eliminate unwanted routing groups/connectors (that is, other mail systems) to connect to your Exchange server, you should also keep the assignment of delegation control to the "chosen few", to avoid the "too-many-hands-in-the-cookie-jar" syndrome.
As you may already know, there is nothing preventing you (or another Exchange administrator) from assigning delegation control of the Exchange server to the group "Everyone" for the following roles: Exchange Administrator, Exchange Full Administrator (administer server plus permissions) and Exchange View Only Administrator.
To assign administration delegation, launch Exchange System Manager, right-click on your Organization object and select Delegate Control.
Apply the 4-R rule of administration
When in doubt as to deciding if a network administrator should be assigned privileges to administer part or your entire server, consider using my 4-R rule of administration as a guide. The 4-R rule of administration is: Retire or Renew based on Role or Requirements. Now is the time to verify who's on your delegation list and to renew/retire accounts based on the current role/requirements.
To MIME or not to MIME
An often-overlooked area is the MIME content type extensions registered in Exchange by default. It's critical that you understand that MIME content types utilize your Exchange Store and not just e-mail anymore. Program associations at this level can allow a browser (that is, Internet Explorer), an Outlook client, and an Outlook Express client to launch a program (e.g., Word) automatically. Unless your firewall administrator is blocking certain MIME content types at the firewall level, your Exchange server will allow your mail clients to automatically start up any program specified in Internet Message Formats.
To modify the list of MIME content type, start up Exchange System Manager and de-collapse Global Settings object. Then, right-click on Internet Message Formats and select Properties. Carefully review the list of extensions associated with content type and modify according to your environment.
Don't shoot the messenger
No doubt users want to be able to send and receive files and not have to worry about size limitation imposed on their messages. However, just as it is vital to add a connection limitation on static rules defined in your firewall (read my article Protect your firewall for more information), setting limitations on your mail server in Message Delivery for Outgoing Message Size, Incoming Message Size, and Recipients Limits is also crucial.
Say NO to unlimited value
In my opinion, keeping the default value of "unlimited" or "no limit" for any parameter on any server is asking for trouble -- at a minimum, a hacker can potentially use this against you. To enforce limitations, right-click on Message Delivery and select Properties. Then, go to the Defaults tab and enter an appropriate value that reflects your environment for each field.
You'll want to check your mail server logs and with your firewall administrator to obtain historical reports (60-90 days back) about inbound/outbound sessions to your mail server(s). In addition, you can check with your company's ISP for additional traffic information to your site. All of these sources can provide you with the information that you'll need to find realistic values that are appropriate for your server configuration.
Return to sender
By default, Exchange does not filter any e-mail. To prevent delivery of a message based on a sender, go to Filter tab in Message Delivery and enter the sender's e-mail address to block future e-mails from a specific sender.
It's been my experience that some of these basic steps have often been overlooked by experienced IT professionals. If you're serious about security, you must pay attention to security details and leave no room for hackers.
Please write to me or check out my Web site (www.medinasystems.com) and let me know if this article has brought to light any potential weak links in your network.
Continue to Protecting the messenger, part two: Is Microsoft your Internet Messiah?
Luis Medina is the author of "The Weakest Link Series," which offers network managers an opportunity to identify ongoing network security issues. Luis also answers security questions in SearchNetworkings Ask the Expert section. Submit a security question to Luis here or view his previously answered Ask the Expert questions.